A new firmware-level Android backdoor dubbed Keenadu has been uncovered by Securelist , revealing an advanced and deeply embedded threat that goes beyond traditional app-based malware. Unlike ordinary malicious applications, Keenadu installs itself during the device firmware build process, embedding into a core shared library that is loaded into the Android runtime and then injected into the Zygote process, the parent process responsible for launching all Android apps. This enables the backdoor to run within the context of every app on the device, bypassing standard sandboxing and permission boundaries that typically constrain mobile threats.